It's been a minute since I've set this up in a corp/campus wifi scenario, but my notes for Verizon VoWiFi from the last time I did say that you need outbound udp/500 and udp/4500 IPSec protocol (IKE and ESP) permitted out the firewall. Tunnel endpoints live in 141.207.0.0/16, so hopefully that lets you scope the rule enough to please your ISO.
Devices will also need the ability to make an HTTPS request to https://spg.vzw.com/SSFGateway/e911Location/changeAddress

As well, DNS queries for the ePDG domain wo.vzwwo.com need to be permitted.

That _should_ be all you need to get it bootstrapped.

Alex

On Fri, Jul 17, 2020 at 12:39 PM Lyden, John C <[email protected]> wrote:

> Hey gang.
>
> We’re setting up a unified wireless network for the students here, and to get around the issues with Nintendo and NAT we devoted a large chunk of public IP space to them.
>
> We’re aware that this is causing issues with wifi calling on Verizon, TMo etc because it appears they initiate the SIP session inbound.
>
> Does anybody have a handy list of IP blocks and ports? T-Mobile had a decent page but other providers just said “open up 4500 and 500” and our ISO guys don’t like that.
>
> Thanks if someone can help.
>
> John C. Lyden
> Manager of Network Infrastructure, Infrastructure Services
> Division of Information Resources & Technology, Rowan University

--
*Alex Buie*
Associate Network Engineer
Datto, Inc.
475-288-4550 (o)
585-653-8779 (c)
www.datto.com
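Added example, not part of the original thread: a small Python check that compares the broad "open up 4500 and 500" rule with the rule scoped to 141.207.0.0/16 from the reply, and lists the outbound flows only the broad rule would let through. The flow-record format, function names and sample addresses are constructed for illustration.

```python
import ipaddress

# From the reply: tunnel endpoints live in 141.207.0.0/16, reached on
# udp/500 and udp/4500 (IKE and ESP, per the post).
VZW_EPDG_NET = ipaddress.ip_network("141.207.0.0/16")
IPSEC_UDP_PORTS = {500, 4500}

# Constructed flow records: proto src_ip dst_ip dst_port.
# Sources and non-Verizon destinations use documentation address ranges.
SAMPLE_FLOWS = """\
udp 192.0.2.10 141.207.10.20 500
udp 192.0.2.10 141.207.10.20 4500
udp 192.0.2.11 198.51.100.7 4500
udp 192.0.2.12 203.0.113.9 500
tcp 192.0.2.10 141.207.10.20 4500
udp 192.0.2.13 141.207.200.1 53
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (proto, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        flows.append((proto, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport)))
    return flows

def broad_rule(flow):
    """'Open up 4500 and 500': any destination on the two UDP ports."""
    proto, _src, _dst, dport = flow
    return proto == "udp" and dport in IPSEC_UDP_PORTS

def scoped_rule(flow):
    """Same ports, but only toward the tunnel endpoint range."""
    return broad_rule(flow) and flow[2] in VZW_EPDG_NET

def extra_exposure(flows):
    """Flows the broad rule permits that the scoped rule would drop."""
    return [f for f in flows if broad_rule(f) and not scoped_rule(f)]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in flows:
        print(f[0], f[2], f[3],
              "broad" if broad_rule(f) else "-",
              "scoped" if scoped_rule(f) else "-")
    print("only broad:", [(str(f[2]), f[3]) for f in extra_exposure(flows)])
```

Running the same comparison over real firewall logs gives the ISO a concrete list of destinations that the scoped rule stops permitting.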

